Several months ago, our VMware Update Manager simply stopped updating from its Shavlik repository. It seemed to only affect Windows patches being downloaded, and the VMware patches continued without any issues. After a few months of troubleshooting with VMware support, a resolution was located and implemented in our environment, and it's a pretty simple solution.

Problem background

For a bit of background, the primary issue we noticed is that when trying to download updates from the repository, I received a generic error “Cannot download patch definitions” in the vCenter tasks. After looking into it, I found that if I unchecked the Windows patch option in the Patch Download Settings section of Update Manager’s configuration tab, the error would not appear. It was only when Windows patches were enabled that the error happened.

I uninstalled and reinstalled Update Manager against the same database and reinstalled a second time with a new database. Neither of these steps fixed the problem and so I opened a case with VMware support.

With support, I began digging into the log files for Update Manager and found more details in the files. We noticed the Update Manager would pull down a .cab file from the Shavlik servers. After the successful download, Update Manager immediately logged an error, “Error downloading new Windows updates: Cannot de-obfuscate Shavlik metadata file.” Although the error gives a little more detail, it still wasn’t enough to point to a concrete cause. It took VMware a couple of months, but finally, a simple solution was found.

The Solution

The issue is due to an untrusted certificate associated with the signed .cab file being downloaded. Since the file is digitally signed, the untrusted certificate was causing the issue. At some point earlier this year, the Shavlik Windows patches began using a new Verisign certificate that was not installed on my Windows Server 2008 server (not R2). To fix the problem, follow these steps:

Click Next and choose the Place all certificates into the following store option. Click Browse and select the Trusted Root Certification Authorities store. Click Next and then click Finish.

At this point, the missing trusted CA certificate is installed and your download process should begin working again. In my environment, Update Manager is running under the original Windows Server 2008 version and not under the 2008 R2 version. I suspect many people have vCenter and Update Manager running on Windows Server 2008 R2, which may not encounter this issue (I am not sure). VMware Support indicated that a KB article will be published for this issue. I will try to follow up and link it once it is published.
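To confirm that an untrusted chain is what breaks the signed .cab, and that a root you are about to trust is the one the chain actually needs, a check like the following can be run on the Update Manager server. It is an added example, not part of the original post or anything supplied by VMware; both file paths are placeholders and PowerShell 2.0 or later is assumed.

```powershell
# Added example. Assumptions: PowerShell 2.0 or later; both paths are placeholders.
param(
    [string]$CabPath       = 'C:\Temp\downloaded-metadata.cab',  # copy of the signed .cab
    [string]$CandidateRoot = ''                                   # optional .cer you plan to trust
)
$x509 = 'System.Security.Cryptography.X509Certificates'

# 1. Ask Windows for the Authenticode verdict on the file.
$sig = Get-AuthenticodeSignature -FilePath $CabPath
"Signature status: $($sig.Status) - $($sig.StatusMessage)"
if ($null -eq $sig.SignerCertificate) { throw "No signer certificate found in $CabPath" }

# 2. Rebuild the chain in machine context (what a service sees), without revocation lookups.
$chain = New-Object "$x509.X509Chain" $true
$chain.ChainPolicy.RevocationMode = 'NoCheck'
"Chain trusted: $($chain.Build($sig.SignerCertificate))"

# 3. Walk leaf -> top and report each element's status and Trusted Root store membership.
$store = New-Object "$x509.X509Store" 'Root', 'LocalMachine'
$store.Open('ReadOnly')
$last = $null
foreach ($el in $chain.ChainElements) {
    $last   = $el.Certificate
    $status = @($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'OK' }
    $inRoot = $store.Certificates.Find('FindByThumbprint', $last.Thumbprint, $false).Count -gt 0
    "{0}`n  issuer={1}`n  status={2} inTrustedRoot={3}" -f $last.Subject, $last.Issuer, $status, $inRoot
}
$store.Close()

# 4. Before trusting a root: check it is the certificate the chain is actually missing, and
#    compare the thumbprint with the value the CA publishes, obtained over a separate channel.
if ($CandidateRoot) {
    $root = New-Object "$x509.X509Certificate2" $CandidateRoot
    "Candidate   : $($root.Subject)"
    "Thumbprint  : $($root.Thumbprint)  (valid until $($root.NotAfter))"
    "Self-issued : $($root.Subject -eq $root.Issuer)"
    "Matches issuer of top chain element: $($root.Subject -eq $last.Issuer)"
}
```

A status of `UntrustedRoot` or `PartialChain` on the top element identifies the issuer whose certificate is missing from the Trusted Root Certification Authorities store.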

About the Post

Author Information

Philip is a senior-level systems administrator for America’s largest telephone cooperative, Horry Telephone Cooperative, in Conway, SC. He primarily focuses on Microsoft technologies, VMware virtualization, blade servers, storage and infrastructure for the co-op. He is a technical jack of all trades, but has become an expert in vSphere, Microsoft technologies, IT infrastructure and the Macintosh.
